It would be nice to be able to clone this repo into a new directory and have it accessible as the index of that directory. Then the <head> of the sites with which I use this could simply reference <link rel="token_endpoint" href="https://example.com/token/">, rather than <link rel="token_endpoint" href="https://example.com/token/endpoint.php">.

While there are a few reasons for why I used an SQLite database as the storage behind Mintoken, it may be possible to let the user setup any PDO connection they want. That way any storage compatible with PDO will be compatible with Mintoken.

A few things to note:

1. This means the SQLs need to be as globally supported as possible. Is there some standard SQL dialect that should be aimed for?
2. Are there possible security mismatches between different databases?

As far as 2 goes, look into what the security experts from Paragon are doing in EasyDB.

The token should consist of two parts:

1. unique token identifier,
2. random blob.

The first part can be used to query the token information from the database. If this part is faulty, nothing can be retrieved, and an error response can be sent. That is exactly as it is now.

That part might be vulnerable to timing attacks against SQLite’s WHERE clause. This means it would take slightly longer to deny a token starting with a known character, versus one without. (See this issue for a similar thing, and the links therein.) Over time the entire valid token can be found.

Mintoken can use the first part of the token to retrieve the second part of the token from the database. Then PHP can do a constant time comparison between the submitted second part and the second part from the database.

This means the second part is protecting us from timing attacks. Even if an attacker has used timing attacks to discover the complete first part of the token, the same attack can not be used against the second part. This protects the entire token against timing attacks.

Mintoken uses error codes taken from RFC 6750: OAuth 2.0 Bearer Token Usage, 3.1. Error Codes.

An HTTP 401 status code with the invalid_token error is used whenever a faulty bearer token is send as part of the IndieAuth Access Token Verification. Example:

But when a faulty POST request is made, I am not sure which standard to follow. RFC 6750 also features invalid_request:

   invalid_request
         The request is missing a required parameter, includes an
         unsupported parameter or parameter value, repeats the same
         parameter, uses more than one method for including an access
         token, or is otherwise malformed.  The resource server SHOULD
         respond with the HTTP 400 (Bad Request) status code.

Does it make sense to send a HTTP 400 status code, and only put the error in the WWW-Authenticate? That doesn’t feel right. Should a token endpoint respond with a JSON body instead, following RFC 6749: OAuth 2.0, 5.2. Error Response? But then only parameter mistakes return JSON.

Upstream bug in PHP: INPUT_SERVER returns NULL for set variables. Also mentioned as a comment in the PHP documentation for filter_input().

Either switch to reading $_SERVER directly, reading it through filter_var_array(), or falling back to try either of those things when filter_input() returns null.

Currently all tokens are stored in the database as they are. This is fine as long as the database is securely stored in its entirety. But if the database was ever leaked, there is a window of opportunity for the tokens to get used before the owner revokes all of them.

By storing only hashed tokens an attacker would first need to bruteforce the hashes before being able to use any of the tokens. Which may proof to be impossible, or at least give the legitimate owner a safe window in which to revoke their tokens.

• Create clear instructions for MINTOKEN_SQLITE_PATH, including an example.

  Possible example:

  define('MINTOKEN_SQLITE_PATH', '../../tokens.db');

• Give a non-command line alternative for adding trusted endpoints to the settings table.

• Make it clear that one instance of Mintoken can function for multiple websites and multiple authorization endpoints.

Per IndieAuth, 6.3.2 Authorization Code Verification:

The [OAuth 2.0 error response] returned from the authorization endpoint is acceptable to pass through to the client.

I am opening this on behalf of Richard, who was at IndieWebCamp Düsseldorf this weekend. This is also the context: we didn't get Mintoken to work and we had minus 3 minutes until demo time.

The endpoint seemed to crash on an error: array_merge() doesn't accept null as a second argument. This means that in the code below, filter_input_array(INPUT_GET, ['me' ...]) does return null. (Line 278)

I cannot find a mention in the spec of the me param in either the POST-body nor the query string for the token request. But: Gimme-a-token does add the me, just in the POST-body, not the query string (which I think is the INPUT_GET but I am not sure how that works).

When we added a ?me= to the endpoint URL manually, it didn't seem to work either, but that's about all the debug-time we had left.

Can you shine any light on this? Where did me come from and why does Mintoken think it should come from GET?

Not sure what error would be correct here.